Incident Response at Scale - Black Hat
TRANSCRIPT
Incident Response at Scale: Building a next generation SOC
Omer Cohen (@omercnet)
Who?
● 15+ years Information Security experience
● Sr. Paranoid, Global IR Lead, Yahoo!
● Co-Founder, VP IR, IL-CERT
● ISACA CSX Task Force
● Licensed Skydiver, 996 jumps
Security Operations Center?
Security Operations Center in real life
http://securityreactions.tumblr.com/
205 days before detecting a security breach
Mandiant M-Trends® 2015
© BreachLevelIndex.com
Majority of any given SOC shift
http://securityreactions.tumblr.com/
Why?
Triaging a malware event
SIEM Alert ->
Analyst collects information ->
Analyst understands context ->
Analyst classifies incident ->
Analyst opens ITSM re-image ticket ->
System re-image ->
Incident closed
Forensics at Scale?
How?
Incident Response on a tight budget
http://securityreactions.tumblr.com/
Better junior analysts
● Junior Analysts have a steep learning curve
● Company-specific play-books
● Senior analysts focus on investigations
Let’s automate
Automation overkill
http://securityreactions.tumblr.com/
Triaging a malware event
SIEM Alert ->
Automagically collect endpoint information ->
Automagically make a decision based on BU ->
Automagically classify incident ->
Automagically open ITSM re-image ticket ->
System re-imaged ->
Incident closed
How your team SHOULD respond to incidents
http://securityreactions.tumblr.com/
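The automated chain above, and the manual analyst flow from the earlier slide, as one working example. This is added illustration, not the speaker's code: every system it touches (the SIEM alert shape, host asset management, the HR system, the ITSM ticket queue) is a constructed in-memory stand-in, and the rule that only certain business units may be re-imaged without a human decision is a hypothetical playbook policy chosen for the example.

```python
"""Automated triage of SIEM malware alerts: collect, decide by BU, classify, ticket.
Added illustration, not the speaker's code. ASSET_DB, HR_DB and ItsmStub are
constructed stand-ins for the asset-management, HR and ITSM APIs the slides
mention; AUTO_REIMAGE_BUS is a hypothetical playbook policy."""
from dataclasses import dataclass, field
from typing import Optional

# Host asset management stand-in: hostname -> owner, business unit, OS (constructed data)
ASSET_DB = {
    "wks-1042": {"owner": "jdoe", "bu": "marketing", "os": "Windows 10"},
    "wks-2207": {"owner": "asmith", "bu": "finance", "os": "Windows 10"},
    "srv-db-03": {"owner": "dba-team", "bu": "infrastructure", "os": "Linux"},
    "wks-3310": {"owner": "bjones", "bu": "marketing", "os": "Windows 10"},
}
# HR system stand-in: user -> title and employment status (constructed data)
HR_DB = {
    "jdoe": {"title": "Content Specialist", "status": "active"},
    "asmith": {"title": "Controller", "status": "active"},
    "dba-team": {"title": "Shared service account", "status": "active"},
    "bjones": {"title": "Intern", "status": "terminated"},
}
# Hypothetical playbook: business units whose workstations may be re-imaged
# without a human decision. Everything else goes to a senior analyst.
AUTO_REIMAGE_BUS = {"marketing", "sales"}

@dataclass
class TriageResult:
    alert_id: str
    host: str
    classification: str  # malware-confirmed | needs-analyst | unknown-asset
    action: str          # reimage-ticket | escalate | enrich-manually
    ticket_id: Optional[str] = None
    context: dict = field(default_factory=dict)

class ItsmStub:
    """Constructed ticket store standing in for the ITSM ticketing API."""
    def __init__(self):
        self.tickets = {}

    def open_reimage_ticket(self, host, owner, reason):
        ticket_id = f"INC-{len(self.tickets) + 1:05d}"
        self.tickets[ticket_id] = {"host": host, "owner": owner, "reason": reason, "state": "open"}
        return ticket_id

def collect_endpoint_info(host):
    """Gather what an analyst would otherwise look up by hand: asset record plus HR record."""
    asset = ASSET_DB.get(host)
    if asset is None:
        return None
    return {**asset, "hr": HR_DB.get(asset["owner"], {})}

def classify(alert, context):
    """Combine the SIEM verdict with endpoint context into an incident class."""
    if context is None:
        return "unknown-asset"        # inventory gap: a person has to look
    if context["hr"].get("status") != "active":
        return "needs-analyst"        # activity on a departed user's machine
    if alert["detection"] == "quarantined" and alert["hits"] >= 1:
        return "malware-confirmed"
    return "needs-analyst"            # detected but not contained

def triage(alert, itsm):
    """Run the whole chain for one alert and return the outcome."""
    host = alert["host"]
    ctx = collect_endpoint_info(host)
    cls = classify(alert, ctx)
    if cls == "unknown-asset":
        return TriageResult(alert["id"], host, cls, "enrich-manually")
    # Decision based on BU: low-risk units get an automatic re-image ticket,
    # sensitive ones (finance, infrastructure, ...) are escalated instead.
    if cls == "malware-confirmed" and ctx["bu"] in AUTO_REIMAGE_BUS:
        reason = f"{alert['id']}: {alert['signature']} quarantined on {host}"
        tid = itsm.open_reimage_ticket(host, ctx["owner"], reason)
        return TriageResult(alert["id"], host, cls, "reimage-ticket", tid, ctx)
    return TriageResult(alert["id"], host, cls, "escalate", None, ctx)

# Constructed SIEM alerts in the shape this example expects
SAMPLE_ALERTS = [
    {"id": "A-1", "host": "wks-1042", "signature": "Trojan.Generic", "detection": "quarantined", "hits": 3},
    {"id": "A-2", "host": "wks-2207", "signature": "Trojan.Generic", "detection": "quarantined", "hits": 1},
    {"id": "A-3", "host": "srv-db-03", "signature": "Suspicious.PowerShell", "detection": "detected", "hits": 1},
    {"id": "A-4", "host": "wks-9999", "signature": "Trojan.Generic", "detection": "quarantined", "hits": 2},
    {"id": "A-5", "host": "wks-3310", "signature": "Trojan.Generic", "detection": "quarantined", "hits": 2},
]

def run_shift(alerts=SAMPLE_ALERTS):
    """Triage a batch of alerts against a fresh ITSM stub; returns (results, itsm)."""
    itsm = ItsmStub()
    return [triage(a, itsm) for a in alerts], itsm

if __name__ == "__main__":
    results, itsm = run_shift()
    for r in results:
        print(f"{r.alert_id} {r.host:10} {r.classification:18} -> {r.action} {r.ticket_id or ''}")
```

Only the marketing workstation with a quarantined, active-user detection gets an automatic re-image ticket; the finance host, the server with an uncontained detection, the unknown host and the terminated user's machine all land in front of an analyst, which is the part of the decision a play-book has to encode before anything is automated.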
Integrate APIs into Incident Response
● Endpoint information
○ Host Asset Management
○ HR Systems
● IOC Lookups
○ Threat Exchange
○ Virus Total
○ IOC Management Systems
https://facebook.com/threatexchange
https://github.com/facebook/ThreatExchange/
Automatic e-Crime detection?
Integrate APIs into Incident Response
● Communications
○ STOP USING EMAIL (at least for full reports)
○ Incident Management Systems (not your SIEM)
○ Alerts on messaging systems (IM/hipchat/slack/whatsapp/etc.)
● Automate the response
○ Open reimage tickets in ITSM
○ Send out incident digest reports
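An added example for the two API-integration slides: IOC lookups merged across several sources (a sharing feed, a multi-engine scanner, an internal IOC system) with a cache so repeated alerts do not burn API quota, and the communications point that the full report belongs in the incident management system while the messaging channel only gets a one-line summary and a link. It is not the speaker's code: the three sources are constructed dictionaries shaped only loosely like Threat Exchange or Virus Total responses, no real API is called, the score thresholds are assumptions, and the incident URL is a hypothetical placeholder.

```python
"""IOC enrichment across several sources, cached, plus a chat-sized notification.
Added illustration, not the speaker's code. FEED_A, FEED_B and INTERNAL_IOCS are
constructed stand-ins (a sharing feed, a multi-engine scanner, an internal IOC
system); no real ThreatExchange or VirusTotal API is called, and the incident
URL is a hypothetical placeholder."""
import hashlib
import time
from collections import Counter

SAMPLE_HASH = hashlib.sha256(b"constructed sample file").hexdigest()  # constructed, not a real IoC
FEED_A = {SAMPLE_HASH: {"confidence": 90, "tag": "banking-trojan"},   # sharing-feed shape
          "evil.example": {"confidence": 75, "tag": "c2"}}
FEED_B = {SAMPLE_HASH: (41, 57), "198.51.100.23": (2, 57)}             # (bad engines, total engines)
INTERNAL_IOCS = {"evil.example": "INC-2015-0042"}                      # indicator -> past incident

class IocLookup:
    """Fan one indicator out to every source and cache the merged verdict."""
    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl, self.clock = ttl_seconds, clock
        self.cache = {}         # indicator -> (expires_at, verdict)
        self.calls = Counter()  # per-source call counts; shows the cache saving API quota

    def _query_sources(self, ioc):
        """Each source is normalised to a 0-100 score so they can be compared."""
        hits = {}
        self.calls["feed_a"] += 1
        if ioc in FEED_A:
            hits["feed_a"] = FEED_A[ioc]["confidence"]
        self.calls["feed_b"] += 1
        if ioc in FEED_B:
            bad, total = FEED_B[ioc]
            hits["feed_b"] = round(100 * bad / total)
        self.calls["internal"] += 1
        if ioc in INTERNAL_IOCS:
            hits["internal"] = 100  # seen in our own past incidents: strongest signal
        return hits

    def verdict(self, ioc):
        now = self.clock()
        cached = self.cache.get(ioc)
        if cached and cached[0] > now:
            return cached[1]
        hits = self._query_sources(ioc)
        score = max(hits.values(), default=0)
        label = "malicious" if score >= 60 else "suspicious" if score > 0 else "unknown"
        verdict = {"ioc": ioc, "score": score, "label": label,
                   "sources": sorted(hits), "seen_internally": INTERNAL_IOCS.get(ioc)}
        self.cache[ioc] = (now + self.ttl, verdict)
        return verdict

def incident_record(alert_id, host, verdicts):
    """The full report lives in the incident management system (a dict here), not in email."""
    return {"id": f"IR-{alert_id}", "host": host, "verdicts": verdicts, "opened": time.time()}

def chat_alert(record, base_url="https://ir.example.internal/incidents/"):
    """Short IM notification: label, host, headline score and a link back. No raw report."""
    worst = max(record["verdicts"], key=lambda v: v["score"])
    return (f"[{worst['label'].upper()}] {record['host']}: {len(record['verdicts'])} IOC(s) "
            f"checked, top score {worst['score']} -> {base_url}{record['id']}")

if __name__ == "__main__":
    lookup = IocLookup()
    indicators = ("evil.example", SAMPLE_HASH, "clean.example")
    rec = incident_record("A-1", "wks-1042", [lookup.verdict(i) for i in indicators])
    print(chat_alert(rec))
    print(dict(lookup.calls))
```

The merge takes the strongest source rather than averaging, so a single internal hit from a past incident outranks a low engine count, and the chat message deliberately carries no source names or indicator values, only enough to decide whether to click through.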
Benefits of automation
● Reduce triage time
● Reduce response time
● Ensure all tasks are completed